FEDORA-2015-5468 created by jcollie 6 years ago for Fedora 21
obsolete

The Asterisk Development Team has announced the release of Asterisk 11.17.0. This release is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 11.17.0 resolves several issues reported by the community and would have not been possible without your participation. Thank you!

The following are the issues resolved in this release:

New Features made in this release:

  • ASTERISK-17899 - Handle crypto lifetime in SDES-SRTP negotiation (Reported by Dwayne Hubbard)

Bugs fixed in this release:

  • ASTERISK-24742 - [patch] Fix ast_odbc_find_table function in res_odbc (Reported by ibercom)
  • ASTERISK-22436 - [patch] No BYE to masqueraded channel on INVITE with replaces (Reported by Eelco Brolman)
  • ASTERISK-24479 - Enable REF_DEBUG for module references (Reported by Corey Farrell)
  • ASTERISK-24701 - Stasis: Write timeout on WebSocket fails to fully disconnect underlying socket, leading to events being dropped with no additional information (Reported by Matt Jordan)
  • ASTERISK-24772 - ODBC error in realtime sippeers when device unregisters under MariaDB (Reported by Richard Miller)
  • ASTERISK-24451 - chan_iax2: reference leak in sched_delay_remove (Reported by Corey Farrell)
  • ASTERISK-24799 - [patch] make fails with undefined reference to SSLv3_client_method (Reported by Alexander Traud)
  • ASTERISK-24787 - [patch] - Microsoft exchange incompatibility for playing back messages stored in IMAP - play_message: No origtime (Reported by Graham Barnett)
  • ASTERISK-24814 - asterisk/lock.h: Fix syntax errors for non-gcc OSX with 64 bit integers (Reported by Corey Farrell)
  • ASTERISK-24796 - Codecs and bucket schema's prevent module unload (Reported by Corey Farrell)
  • ASTERISK-24724 - 'httpstatus' Web Page Produces Incomplete HTML (Reported by Ashley Sanders)
  • ASTERISK-24797 - bridge_softmix: G.729 codec license held (Reported by Kevin Harwell)
  • ASTERISK-24800 - Crash in __sip_reliable_xmit due to invalid thread ID being passed to pthread_kill (Reported by JoshE)
  • ASTERISK-17721 - Incoming SRTP calls that specify a key lifetime fail (Reported by Terry Wilson)
  • ASTERISK-23214 - chan_sip WARNING message 'We are requesting SRTP for audio, but they responded without it' is ambiguous and wrong in some cases (Reported by Rusty Newton)
  • ASTERISK-15434 - [patch] When ast_pbx_start failed, both an error response and BYE are sent to the caller (Reported by Makoto Dei)
  • ASTERISK-18105 - most of asterisk modules are unbuildable in cygwin environment (Reported by feyfre)
  • ASTERISK-24828 - Fix Frame Leaks (Reported by Kevin Harwell)
  • ASTERISK-24838 - chan_sip: Locking inversion occurs when building a peer causes a peer poke during request handling (Reported by Richard Mudgett)
  • ASTERISK-24825 - Caller ID not recognized using Centrex/Distinctive dialing (Reported by Richard Mudgett)
  • ASTERISK-24739 - [patch] - Out of files -- call fails -- numerous files with inodes from under /usr/share/zoneinfo, mostly posixrules (Reported by Ed Hynan)
  • ASTERISK-23390 - NewExten Event with application AGI shows up before and after AGI runs (Reported by Benjamin Keith Ford)
  • ASTERISK-24786 - [patch] - Asterisk terminates when playing a voicemail stored in LDAP (Reported by Graham Barnett)
  • ASTERISK-24808 - res_config_odbc: Improper escaping of backslashes occurs with MySQL (Reported by Javier Acosta)
  • ASTERISK-20850 - [patch]Nested functions aren't portable. Adapting RAII_VAR to use clang/llvm blocks to get the same/similar functionality. (Reported by Diederik de Groot)
  • ASTERISK-19470 - Documentation on app_amd is incorrect (Reported by Frank DiGennaro)
  • ASTERISK-21038 - Bad command completion of "core set debug channel" (Reported by Richard Kenner)
  • ASTERISK-18708 - func_curl hangs channel under load (Reported by Dave Cabot)
  • ASTERISK-16779 - Cannot disallow unknown format '' (Reported by Atis Lezdins)
  • ASTERISK-24876 - Investigate reference leaks from tests/channels/local/local_optimize_away (Reported by Corey Farrell)
  • ASTERISK-24817 - init_logger_chain: unreachable code block (Reported by Corey Farrell)
  • ASTERISK-24880 - [patch]Compilation under OpenBSD (Reported by snuffy)
  • ASTERISK-24879 - [patch]Compilation fails due to 64bit time under OpenBSD (Reported by snuffy)

Improvements made in this release:

  • ASTERISK-24790 - Reduce spurious noise in logs from voicemail - Couldn't find mailbox %s in context (Reported by Graham Barnett)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.17.0 The Asterisk Development Team has announced security releases for Certified Asterisk 11.6 and Asterisk 11, 12, and 13. The available security releases are released as versions 11.6-cert9, 11.14.2, 12.7.2, and 13.0.2.

These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolves the following security vulnerability:

  • AST-2014-019: Remote Crash Vulnerability in WebSocket Server

When handling a WebSocket frame the res_http_websocket module dynamically changes the size of the memory used to allow the provided payload to fit. If a payload length of zero was received the code would incorrectly attempt to resize to zero. This operation would succeed and end up freeing the memory but be treated as a failure. When the session was subsequently torn down this memory would get freed yet again causing a crash.

For more information about the details of this vulnerability, please read security advisory AST-2014-019, which was released at the same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert9 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.14.2 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.7.2 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.0.2

The security advisory is available at:

These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolves the following security vulnerability:

  • AST-2014-019: Remote Crash Vulnerability in WebSocket Server

When handling a WebSocket frame the res_http_websocket module dynamically changes the size of the memory used to allow the provided payload to fit. If a payload length of zero was received the code would incorrectly attempt to resize to zero. This operation would succeed and end up freeing the memory but be treated as a failure. When the session was subsequently torn down this memory would get freed yet again causing a crash.

For more information about the details of this vulnerability, please read security advisory AST-2014-019, which was released at the same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert9 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.14.2 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.7.2 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.0.2

The security advisory is available at:

This update has been submitted for testing by jcollie.

6 years ago

Taskotron: depcheck test PASSED on i386. Result log: https://taskotron.fedoraproject.org/taskmaster//builders/x86_64/builds/54465/steps/runtask/logs/stdio (results are informative only)

Taskotron: depcheck test PASSED on x86_64. Result log: https://taskotron.fedoraproject.org/taskmaster//builders/x86_64/builds/54465/steps/runtask/logs/stdio (results are informative only)

This update is currently being pushed to the Fedora 21 testing updates repository.

6 years ago

This update has been pushed to testing

6 years ago

Please login to add feedback.

Metadata
Type
security
Karma
0
Signed
Content Type
RPM
Test Gating
Settings
Unstable by Karma
-3
Stable by Karma
disabled
Stable by Time
disabled
Dates
submitted
6 years ago
in testing
6 years ago
BZ#1173002 CVE-2014-9374 asterisk: Remote Crash Vulnerability in WebSocket Server (AST-2014-019)
0
0
BZ#1173003 asterisk: Remote Crash Vulnerability in WebSocket Server (AST-2014-019) [fedora-all]
0
0

Automated Test Results